Abstract


The invertibility of a random function (IRF, in short) is an important problem and has wide applications in cryptography. For example, finding a preimage of a hash function, recovering the key of a block cipher in the known-plaintext model, and solving discrete logarithms over a large prime field can all be viewed as instances of it. In this work we describe the invertibility of multiple random functions (IMRF, in short), a generalization of the IRF. In order to solve the IMRF we generalize the birthday theorem. Based on the generalized birthday theorem and the time-memory tradeoff (TMTO, in short) method, we present an efficient TMTO method of solving an IMRF, which can be viewed as a generalization of three main TMTO attacks, namely Hellman's attack, Biryukov and Shamir's attack with BSW sampling, and Biryukov, Mukhopadhyay and Sarkar's time-memory-key tradeoff attack. Our method is highly parallel and suited to distributed computing environments. As a generalization of Hellman's attack, our method overcomes its limitation of using only one known plaintext/ciphertext pair and, for the first time, admits more than one datum in a TMTO on block ciphers in the single-key scenario. As a generalization of Biryukov and Shamir's attack with BSW sampling, our method overcomes its limitation of using only the few data with a specific prefix in stream ciphers and can utilize all data without waste. As applications we obtain two new tradeoff curves: $N^2 = TM^2D^3$, $N = PD$ and $D = \tau$ for block ciphers, and $N^2 = \tau^3 TM^2D^2$, $N = \tau PD$ and $D \ge \tau$ for stream ciphers, where $\tau$ is the number of random functions, that is, the number of independent computing units available to an attacker, $N$ is the size of the key space (for block ciphers) or state space (for stream ciphers), $D$ the number of data captured by the attacker, and $T$, $M$, $P$ the time/memory/precomputation cost at each computing unit respectively. As examples, assume that 4096 computing units are available to the attacker and denote by the 5-tuple $(\tau, T, M, D, P)$ the cost of our method. Then the cost of breaking DES, AES-128 and A5/1 is $(2^{12}, 2^{25.3}, 2^{25.3}, 2^{12}, 2^{44})$, $(2^{12}, 2^{73.3}, 2^{73.3}, 2^{12}, 2^{116})$ and $(2^{12}, 2^{20.8}, 2^{20.8}, 2^{20.8}, 2^{31.2})$ respectively.


© 2011 Published by Elsevier Ltd. 


Keywords: Random function, TMTO, block cipher, stream cipher, guess-and-determine attack 


1. Introduction 


Let $n$ be a positive integer and $\{0,1\}^n$ the set of all bit strings of length $n$. For a given random function $f$ over $\{0,1\}^n$ and $m$ images $y_1, y_2, \ldots, y_m$ of $f$, where $m$ is a positive integer, finding a preimage $x$ of some $y_i$ under $f$, i.e., $y_i = f(x)$, is an important and fundamental problem in cryptography [1]. It is called the invertibility of a random function (IRF, in short) and has very wide applications. For example, finding a preimage of a hash function, recovering the key of a block cipher in the known-plaintext model, solving discrete logarithms over a large prime field [2], and so on, can be viewed as its instances.

The time-memory tradeoff (TMTO, in short) is a common method of solving the IRF. It is mainly based on the following birthday theorem:


Lemma 1 (Birthday Theorem) Let $S$ be a finite set, and $A$ and $B$ be two nonempty random subsets of $S$ such that $|A| \cdot |B| \ge |S|$. Then $A \cap B$ is nonempty with high probability.


The TMTO for solving an IRF usually involves two stages, offline and online. At the one-time offline stage, one precomputes and stores some pairs $(x, f(x))$ of preimage and image, which are viewed as the set $A$ in Lemma 1; a common treatment is to set up a lookup table. At the online stage, one matches each $y_i$ directly against the second column of the lookup table, where the $y_i$'s are viewed as elements of the set $B$. If $|A| \cdot m \ge 2^n$, then a preimage $x$ of some $y_i$ is obtained with high probability by Lemma 1.

How to set up a more efficient lookup table is a key problem in the TMTO. Many efficient table-construction techniques have been proposed, including Hellman's table with distinguished points [4], perfect tables [5], rainbow tables [6] and so on. Among them, the rainbow table is believed to be one of the most efficient.

The TMTO was first used against symmetric ciphers in 1980, when Hellman applied it to the security evaluation of the block cipher DES and obtained the general tradeoff curve $N^2 = TM^2$ for block ciphers, where $N$ is the size of the key space and $T$, $M$ are the time and memory cost respectively. A common tradeoff point is $T = M = N^{2/3}$. In the rest of this paper we refer to it as the Hellman attack. Note that in the Hellman attack the mapping from the key space to the ciphertext space under a fixed plaintext $P_0$ is viewed as a random function $c = f_{P_0}(k)$. As a consequence, no matter how many plaintext/ciphertext pairs are captured in reality, only one pair is utilized in the Hellman attack. In order to utilize multiple data at the online stage, significant work was done in two directions: a) for block ciphers, Biryukov, Mukhopadhyay and Sarkar extended the Hellman attack to a time-memory-key tradeoff in the multiple-key scenario, where a fixed plaintext is encrypted under several different keys and the goal is to recover one of those keys [8], which we refer to as the BMS attack; b) for stream ciphers, Babbage [9] and Golić independently proposed a TMTO, which we refer to as the BG attack. They viewed the mapping from an internal state to a truncation of the output keystream as a random function and obtained the tradeoff curve $N = TM$, $T = D$ and $P = M$, where $N$, $D$ and $P$ denote the size of the state space, the number of data required at the online stage and the time cost at the offline stage respectively. However, the following problem has remained open:


Open problem 1 How does one utilize several known plaintext/ciphertext pairs in the Hellman attack against block ciphers in the single-key scenario?


In 2000, Biryukov and Shamir combined the Hellman attack and the BG attack and presented a time-memory-data tradeoff (TMDTO, in short) for stream ciphers, which we refer to as the BS attack. The tradeoff curve of the BS attack is $N^2 = TM^2D^2$, where $T \ge D^2$, and one suggested tradeoff point is $T = N^{2/3}$ and $M = D = N^{1/3}$. In order to remove the restriction between $T$ and $D$, Biryukov, Shamir and Wagner improved the BS attack by introducing BSW sampling, which is in effect a simple combination of the BS attack and the guess-and-determine attack (GDA, in short) and reduces the time cost by increasing the amount of data. The BS attack with BSW sampling has a shortcoming: large amounts of data are filtered out at the online stage and only the few data with a specific prefix are used. This raises the following problem:


Open problem 2 How does one utilize all data, instead of only the few data with a specific prefix, in the BS attack with BSW sampling?


In this work we answer the above two open problems. Firstly, we generalize the IRF from one dimension to higher dimensions and introduce the invertibility of multiple random functions (IMRF, in short). Secondly, for the IMRF we generalize the birthday theorem and propose a general algorithm for solving it. Finally, we apply the algorithm to the cryptanalysis of symmetric ciphers and obtain two new tradeoff curves. Let $\tau$ be the number of random functions in an IMRF, $N$ the size of the key space (block ciphers) or state space (stream ciphers), and $D$ the number of data captured by an attacker. Here we assume that the attacker has access to $\tau$ independent computing units, each containing a core and some memory and handling all computations related to one random function. Denote by $T$, $M$ and $P$ the time/memory/precomputation cost at a single computing unit respectively. Then the two new tradeoff curves are $N^2 = TM^2D^3$, $N = PD$ and $D = \tau$ for block ciphers, and $N^2 = \tau^3 TM^2D^2$, $N = \tau PD$ and $D \ge \tau$ for stream ciphers. An intuitive comparison of our method with existing methods is shown in Table 1.


Table 1. A comparison of our method to existing methods

Method                      | Tradeoff curve                                        | Data                             | Scenario                         | Ref.
Hellman attack              | N^2 = TM^2, P = N                                     | D = 1                            | block ciphers with single key    | [7]
BMS attack                  | N^2 = TM^2D^2, T >= D^2, N = PD                       |                                  | block ciphers with multiple keys | [8]
BG attack                   | N = TM, P = M                                         | D >= 1                           | stream ciphers                   | [9]
BS attack                   | N^2 = TM^2D^2, T >= D^2, N = PD                       |                                  | stream ciphers                   | [11]
BS attack with BSW sampling | N^2 = TM^2D^2, N = PD                                 | only a few data among D are used | stream ciphers                   |
Our method                  | N^2 = TM^2D^3 (= τ TM^2D^2), N = PD                   | D = τ >= 1                       | block ciphers with single key    |
Our method                  | N^2 = τ^3 TM^2D_k^2, T >= τ D_k^2, N = τ P D_k        | D_k keys per plaintext           | block ciphers with multiple keys |
Our method                  | N^2 = τ^3 TM^2D^2, N = τ PD                           | D >= τ                           | stream ciphers                   |


More precisely, our method has the following advantages: 


1. It is highly parallel. The number $\tau$ of independent computing units available to an attacker is also a key parameter in our method. Each computing unit can run the TMDTO attack for one target function independently. The larger $\tau$ is, the smaller the time/memory/precomputation cost consumed at each computing unit.

2. For block ciphers, our method is a generalization of the Hellman attack. Compared to the latter, our method admits more than one datum in the single-key scenario. When many plaintext/ciphertext pairs under the same key are captured, an attacker can use them to reduce the cost at each computing unit. This matters for breaking block ciphers in the real world, especially when the attacker has access to a large amount of computing resources in a network or distributed computing environment. In the multiple-key scenario, our method is a generalization of the BMS attack. Compared to the latter, our method is more flexible and practical, and can utilize several data for each key.

3. As for stream ciphers, our method is a generalization of BS attack with BSW sampling. Compared to the latter, 
our method overcomes the shortcoming of BS attack with BSW sampling that only a few data are used at the 
online stage, and can utilize all data to do TMDTO attack for a target cipher. Our method can be viewed as a 
nice combination of TMTO attack and GDA. 


As applications, we give some tradeoff points for several classical symmetric ciphers, including DES, AES-128, A5/1 [17], Grain-v1 [18], Grain-128 [19], etc. Here we assume that 4096 computing units are available to the attacker in Table 2, while the number of computing units is not restricted in Table 3.

The rest of this paper is organized as follows. In Section 2 we first describe the IMRF, then generalize the birthday theorem, and finally provide an algorithm for solving the IMRF based on the generalized birthday theorem. As its application, some tradeoff curves and points for block ciphers and stream ciphers are given in Sections 3.1, 3.2 and 3.3 respectively.


Table 2. Our method with a fixed τ = 2^12

Algorithm | Time T  | Memory M | Data D | Precomp. P
DES       | 2^25.3  | 2^25.3   | 2^12   | 2^44
AES-128   | 2^73.3  | 2^73.3   | 2^12   | 2^116
A5/1      | 2^20.8  | 2^20.8   | 2^20.8 | 2^31.2
Grain-v1  | 2^65.3  | 2^54.7   | 2^54.7 | 2^93.3
Grain-128 | 2^102.7 | 2^93.3   | 2^93.3 | 2^150.7


Table 3. Our method on DES and AES-128 with τ not fixed

Algorithm | Comp. units τ | Time T | Memory M | Data D | Precomp. P
DES       | 2^18.7        | 2^18.7 | 2^18.7   | 2^18.7 | 2^37.3
AES-128   | 2^42.7        | 2^42.7 | 2^42.7   | 2^42.7 | 2^85.3


2. Invertibility of multiple random functions 


2.1. Description 


In this section we describe an invertibility of multiple random functions (IMRF, in short), which can be viewed as 
a generalization of an IRF. 


Definition 1 Let $n$ and $\tau$ be two positive integers, and $f_1, f_2, \ldots, f_\tau$ be $\tau$ independent random functions from $\{0,1\}^n$ to $\{0,1\}^n$. For any given $D$ data
\[
\begin{array}{l}
y_{1,1},\ y_{1,2},\ \ldots,\ y_{1,d_1} \in \mathrm{Img}(f_1),\\
y_{2,1},\ y_{2,2},\ \ldots,\ y_{2,d_2} \in \mathrm{Img}(f_2),\\
\qquad\vdots\\
y_{\tau,1},\ y_{\tau,2},\ \ldots,\ y_{\tau,d_\tau} \in \mathrm{Img}(f_\tau),
\end{array} \tag{1}
\]
where $D = \sum_{i=1}^{\tau} d_i$, $d_i \ge 1$, and $\mathrm{Img}(f_i)$ denotes the set of all images of $f_i$, $1 \le i \le \tau$, we call the problem of finding a preimage $x$ of some $y_{i,j}$ under $f_i$, i.e., $y_{i,j} = f_i(x)$, where $1 \le i \le \tau$ and $1 \le j \le d_i$, the invertibility of multiple random functions.


Here the following problem should be kept in mind:


Question 1 Let $n$ and $\tau$ be two positive integers, and $f_1, f_2, \ldots, f_\tau$ be $\tau$ independent random functions from $\{0,1\}^n$ to $\{0,1\}^n$. For any given $D$ data $y_{i,j} \in \mathrm{Img}(f_i)$, where $1 \le i \le \tau$, $1 \le j \le d_i$ and $D = \sum_i d_i$, how does one find, for each $f_i$, a preimage $x_i$ of some $y_{i,j}$ under $f_i$, i.e., $y_{i,j} = f_i(x_i)$?


Though Question 1 looks very similar to an IMRF, they are two entirely different problems. The former requires a preimage of some $y_{i,j}$ for each $f_i$, that is, $\tau$ preimages in total, which amounts to invoking an IRF $\tau$ times, whereas the latter requires a preimage of some $y_{i,j}$ for only one of the $f_i$'s. Obviously, an IMRF looks easier than Question 1, so we expect an IMRF to have a more efficient solution than Question 1 in theory. In the next two sections we discuss how to give a more efficient algorithm for an IMRF.


2.2. Generalized birthday theorem

In order to solve the IMRF, we introduce a new birthday theorem, which can be viewed as a generalization of the birthday theorem, that is, Lemma 1.


Theorem 1 (Generalized Birthday Theorem) Let $S$ be a set of size $N$, and $A_1, \ldots, A_\tau, B_1, \ldots, B_\tau$ be $2\tau$ independent random subsets of $S$ such that $|A_1| = \cdots = |A_\tau| = n$ and $|B_1| = \cdots = |B_\tau| = m$, where $\tau$, $n$ and $m$ are three positive integers (here $n$ denotes a subset size, not a bit length). If $\tau nm \ge N$, then there exists an integer $i$, $1 \le i \le \tau$, such that $A_i \cap B_i$ is nonempty with high probability.
Proof When $n + m > N$ the conclusion is trivial, so below we assume $n + m \le N$. Denote by $p$ the probability of the event $A_i \cap B_i = \emptyset$. Then
\[
p = \Pr[A_i \cap B_i = \emptyset] = \frac{\binom{N-n}{m}}{\binom{N}{m}} = \frac{(N-n)!\,(N-m)!}{N!\,(N-n-m)!}. \tag{2}
\]
Let $q$ be the probability of the event that there exists an integer $i$ ($1 \le i \le \tau$) such that $A_i \cap B_i \ne \emptyset$. Due to the independence of all $A_i$ and $B_i$, we have $q = 1 - p^\tau$. We want $q \ge \tfrac12$, that is, $p^\tau \le \tfrac12$. By (2),
\[
p = \frac{(N-m)(N-m-1)\cdots(N-m-n+1)}{N(N-1)\cdots(N-n+1)} \le \Bigl(\frac{N-m}{N}\Bigr)^{n} = \Bigl(1 - \frac{m}{N}\Bigr)^{n}.
\]
As a consequence,
\[
p^\tau \le \Bigl(1 - \frac{m}{N}\Bigr)^{n\tau} \le \Bigl(1 - \frac{m}{N}\Bigr)^{N/m}, \tag{3}
\]
since $n\tau \ge N/m$. Note that $(1-x)^{1/x} < 1/e$ for any $0 < x < 1$ (see footnote 1), so we have
\[
q = 1 - p^\tau \ge 1 - \frac{1}{e} > \frac12 .
\]
So the conclusion follows. $\blacksquare$
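The following is an added numerical check of Theorem 1 and of the estimate used in its proof (this code is ours, not part of the paper): exact_success_prob evaluates $q = 1 - p^\tau$ with $p$ taken from (2), proof_lower_bound evaluates the bound $1 - (1 - m/N)^{n\tau}$ from (3), and simulate_success_prob draws the $2\tau$ random subsets directly and counts how often some $A_i$ meets $B_i$. The parameters in the main block ($N = 1000$, $\tau = 5$, $n = 20$, $m = 10$, so $\tau nm = N$) are constructed for the demonstration.

```python
import math
import random


def exact_success_prob(N, tau, n, m):
    """q = Pr[some A_i meets B_i] = 1 - p^tau with p = C(N-n, m)/C(N, m), eq. (2)."""
    if n + m > N:               # trivial case of the proof: A_i and B_i must overlap
        return 1.0
    p = math.comb(N - n, m) / math.comb(N, m)
    return 1.0 - p ** tau


def proof_lower_bound(N, tau, n, m):
    """The estimate p <= (1 - m/N)^n used in the proof gives q >= 1 - (1 - m/N)^(n tau);
    when tau*n*m >= N the right-hand side is at least 1 - 1/e, inequality (3)."""
    return 1.0 - (1.0 - m / N) ** (n * tau)


def simulate_success_prob(N, tau, n, m, trials=2000, seed=7):
    """Monte Carlo estimate of q: draw tau independent pairs of random n- and m-subsets
    of {0, ..., N-1} and count the trials in which at least one pair intersects."""
    rng = random.Random(seed)
    universe = range(N)
    hits = 0
    for _ in range(trials):
        for _ in range(tau):
            a = set(rng.sample(universe, n))
            if not a.isdisjoint(rng.sample(universe, m)):
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    # Constructed parameters exactly on the boundary tau*n*m = N of Theorem 1.
    N, tau, n, m = 1000, 5, 20, 10
    print("exact q     =", round(exact_success_prob(N, tau, n, m), 4))
    print("proof bound =", round(proof_lower_bound(N, tau, n, m), 4))
    print("1 - 1/e     =", round(1 - 1 / math.e, 4))
    print("simulated q =", simulate_success_prob(N, tau, n, m))
```

On the boundary $\tau nm = N$ the exact value, the bound and the simulation all land just above $1 - 1/e \approx 0.632$, which is what the theorem promises; increasing $\tau$ or $m$ past the boundary pushes $q$ toward 1.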


2.3. An efficient algorithm for an IMRF 


Take $S = \{0,1\}^n$ and $N = 2^n$. For a given IMRF, a simple method of solving it is to choose one function $f_i$ arbitrarily as a target and invoke the IRF once for it. Obviously, this is not optimal since it does not make efficient use of all known data. In this section we provide a more efficient algorithm for solving an IMRF and give its complexity evaluation, which is mainly based on the above generalized birthday theorem.


Algorithm 1: Set up lookup tables at the one-time offline stage
Input: $\tau$ random functions $f_1, f_2, \ldots, f_\tau$;
Output: lookup tables $T_{i,u}$;
1  choose two suitable integers $m$ and $t$ such that $mt^2 = N$;
2  for each function $f_i$, set up $r = t/D$ lookup tables $T_{i,u}$ ($1 \le u \le r$), do
3      choose $r$ simple permutations $\sigma_{i,u}$ and let $g_{i,u} = \sigma_{i,u} \circ f_i$, $1 \le u \le r$;
4      choose $m$ startpoints $s_{i,u,v,0}$ ($1 \le v \le m$) randomly for each $T_{i,u}$;
5      for each startpoint $s_{i,u,v,0}$ do
6          compute a chain $C_{i,u,v}$ of length $t$
\[
s_{i,u,v,0} \xrightarrow{\,g_{i,u}\,} s_{i,u,v,1} \xrightarrow{\,g_{i,u}\,} \cdots \xrightarrow{\,g_{i,u}\,} s_{i,u,v,t} \tag{4}
\]
           and store the pair $(s_{i,u,v,0}, s_{i,u,v,t})$ into $T_{i,u}$;
7      end
8  end
9  return lookup tables $T_{i,u}$;


¹ Consider the function $F(x) = x + \ln(1-x)$ with $x \in [0,1)$. Since $F'(x) = 1 - \frac{1}{1-x} < 0$ for each $x \in (0,1)$, $F(x)$ is strictly decreasing on $[0,1)$. Thus $F(x) < F(0) = 0$ for any $x \in (0,1)$, which implies $\frac{1}{x}\ln(1-x) < -1$, that is, $(1-x)^{1/x} < \frac{1}{e}$.


Algorithm 2: Find a preimage $x$ of some $y_{i,j}$ under $f_i$ at the online stage
Input: $D$ data $y_{i,j} \in \mathrm{Img}(f_i)$, $1 \le i \le \tau$, $1 \le j \le d_i$, $D = \sum_{i=1}^{\tau} d_i$;
Output: a preimage $x$ of some $y_{i,j}$ under $f_i$, or a failure message;
1  for $i = 1, 2, \ldots, \tau$ do
2      for $j = 1, 2, \ldots, d_i$ do
3          for $u = 1, 2, \ldots, r$ do
4              compute $y_{i,j,1} = \sigma_{i,u}(y_{i,j})$ and look up $y_{i,j,1}$ in the second column of $T_{i,u}$;
5              if $\exists v$ s.t. $y_{i,j,1} = s_{i,u,v,t}$ then
6                  compute $s_{i,u,v,t-1}$ from the startpoint $s_{i,u,v,0}$ along the chain $C_{i,u,v}$ under $g_{i,u}$;
7                  return $x = s_{i,u,v,t-1}$ as a preimage of $y_{i,j}$ under $f_i$;
8              end
9              for $2 \le k \le t$, compute $y_{i,j,k} = g_{i,u}(y_{i,j,k-1})$ and look up $y_{i,j,k}$ in the second column of $T_{i,u}$;
10             if $\exists v$ s.t. $y_{i,j,k} = s_{i,u,v,t}$ then
11                 compute $s_{i,u,v,t-k}$ from the startpoint $s_{i,u,v,0}$ along the chain $C_{i,u,v}$ under $g_{i,u}$;
12                 return $x = s_{i,u,v,t-k}$ as a preimage of $y_{i,j}$ under $f_i$;
13             end
14         end
15     end
16 end
17 return a failure message that no preimage $x$ is found;


Here we explain briefly why $y_{i,j} = f_i(x)$ holds with high probability when Algorithm 2 returns $x$. If $x$ is returned at Step 7 of Algorithm 2, then we have
\[
\sigma_{i,u}(y_{i,j}) = y_{i,j,1} = s_{i,u,v,t} = \sigma_{i,u}\bigl(f_i(s_{i,u,v,t-1})\bigr) = \sigma_{i,u}\bigl(f_i(x)\bigr).
\]
Since $\sigma_{i,u}$ is a permutation, it follows that $y_{i,j} = f_i(x)$. If $x$ is returned at Step 12 of Algorithm 2, we have
\[
g_{i,u}(y_{i,j,k-1}) = y_{i,j,k} = s_{i,u,v,t} = g_{i,u}(s_{i,u,v,t-1}).
\]
Since $g_{i,u} = \sigma_{i,u} \circ f_i$ is also a random function, $y_{i,j,k-1} = s_{i,u,v,t-1}$ holds with high probability, and we approximate $y_{i,j,k-1}$ by $s_{i,u,v,t-1}$. Continuing in the same way we get $y_{i,j,1} = s_{i,u,v,t-k+1}$. So
\[
\sigma_{i,u}(y_{i,j}) = y_{i,j,1} = s_{i,u,v,t-k+1} = \sigma_{i,u}\bigl(f_i(s_{i,u,v,t-k})\bigr) = \sigma_{i,u}\bigl(f_i(x)\bigr),
\]
which implies $y_{i,j} = f_i(x)$. (The equality $y_{i,j,k-1} = s_{i,u,v,t-1}$ fails when two chains have merged, i.e. when Step 10 is a false alarm; in practice the returned $x$ is verified by recomputing $f_i(x)$ and comparing it with $y_{i,j}$, and the search continues if they differ.)
As for Algorithms 1 and 2, it should be pointed out that:


1. We assume that an attacker has access to $\tau$ computing units, each with an independent core and memory. This assumption is easy to meet in reality when $\tau$ is not too large. Since the attacker has $\tau$ independent computing units, the lookup tables $T_{i,u}$ for one function $f_i$ can be set up on one computing unit in Algorithm 1, and one group $y_{i,1}, y_{i,2}, \ldots, y_{i,d_i}$ can be matched against the lookup tables $T_{i,u}$ on one computing unit in Algorithm 2, all units working simultaneously. Thus Algorithms 1 and 2 can be run in parallel at the level of functions.


2. At the offline stage, the distinguished-point technique of the Hellman attack [4] can be used to set up the lookup tables $T_{i,u}$ and to detect collisions. Since $mt$ will be far smaller than $N$, there are few collisions and merges in each $T_{i,u}$ in a practical attack.


Below we discuss the cost of Algorithms 1 and 2. Denote by $T$, $M$ and $P$ the time/memory/precomputation cost at each computing unit respectively. For simplicity, we assume that $d_1 = \cdots = d_\tau = d$. Then $D = \tau d$. At the offline stage, each computing unit needs to store $r$ lookup tables $T_{i,u}$, each $T_{i,u}$ containing $m$ pairs of startpoint and endpoint and covering about $mt$ points. Thus we have $M = rm = mt/D$. Since each pair of startpoint and endpoint stored in $T_{i,u}$ is obtained by means of a chain $C_{i,u,v}$ of length $t$, the precomputation needs $rmt$ invocations of $g_{i,u}$ in total, that is, $P = rmt = mt^2/D$. At the online stage, each $y_{i,j}$ needs $t$ queries in a lookup table $T_{i,u}$ and $t$ calls of $g_{i,u}$. Thus each computing unit needs at most $rtd$ queries for a group of images $y_{i,1}, y_{i,2}, \ldots, y_{i,d}$ of $f_i$ and $rtd$ calls of $g_{i,u}$ in total. In a practical attack, one query in a lookup table $T_{i,u}$ can be sped up by sorting or hashing when $m$ is not too large. Here we approximate $T = rtd = t^2/\tau$, which counts $T$ queries and $T$ calls. In order to find a collision with high probability, by Theorem 1 it is expected that $\tau \cdot \frac{mt^2}{D} \cdot d = N$, i.e. $mt^2 = N$. So we get the following conclusion:


Theorem 2 For a given IMRF defined as in Definition 1, let $T$, $M$ and $P$ be the time/memory/precomputation cost at each computing unit in Algorithms 1 and 2 respectively. Then we have
\[
N^2 = \tau TM^2D^2 \quad\text{and}\quad PD = N, \tag{5}
\]
where $T \ge D^2/\tau$ and $D \ge \tau$.


Proof The conclusion follows directly from $M = mt/D$, $P = mt^2/D$, $T = t^2/\tau$, $mt^2 = N$ and $r = t/D \ge 1$.


3. Application 


3.1. Block ciphers at the single key scenario 

The block cipher is one of the classical symmetric ciphers and is widely used in information processing to protect the confidentiality of messages. A typical block cipher involves three main parameters: key, plaintext and ciphertext; plaintexts are encrypted to ciphertexts under the control of keys. Since ciphertexts must be decryptable, a block cipher must be a permutation on the plaintext space, so the plaintext space and the ciphertext space coincide.

Let $K$ and $C$ be the key space and the ciphertext space of a block cipher respectively. Here we consider the single-key scenario of block cipher analysis. In the Hellman attack, a fixed plaintext $P_0$ is chosen and the ciphertext $C$ is viewed as a function $f_{P_0}(K)$ of the key $K$, where $C = f_{P_0}(K) = E_K(P_0)$ and $E_K$ denotes the encryption function of the block cipher. Since it is required to recover the specific unknown key $K$, the Hellman attack uses exactly one datum at the online stage, even though an attacker may easily capture many plaintext/ciphertext pairs. Below we provide a new TMDTO method, which overcomes this disadvantage of the Hellman attack and can use more than one plaintext/ciphertext pair obtained under the same key. To the best of our knowledge, this is the first multi-data TMTO attack against block ciphers in the single-key scenario.

Suppose that $\tau$ computing units are available to us. We first choose $\tau$ fixed plaintexts $P_1, P_2, \ldots, P_\tau$ and $\tau$ functions $f_i$ from the key space $K$ to the ciphertext space $C$, where $C_i = f_i(K) = E_K(P_i)$, $1 \le i \le \tau$. If the size of $K$ is not equal to that of $C$, for example in DES, a reduction function $R$ is required, and we let $f_i(K) = R(E_K(P_i))$. Each $f_i$ of a block cipher is viewed as a random function, and the $f_i$ are mutually independent for different plaintexts. At the online stage, the attacker knows $\tau$ plaintext/ciphertext pairs $(P_i, C_i)$ of the block cipher under an unknown key $K$, where $C_i = E_K(P_i)$, $1 \le i \le \tau$, and attempts to recover $K$ by Algorithms 1 and 2 of Section 2.3. Note that only one datum is used for each $f_i$, that is, $d = 1$ and $D = \tau$. Substituting $D = \tau$ into (5) we get the following tradeoff curve:
\[
N^2 = TM^2D^3 \;(= \tau TM^2D^2), \qquad D = \tau, \qquad PD = N, \tag{6}
\]
where $T \ge D$. Let $n$ be the bit length of the key, i.e., $N = 2^n$, and set $\tau = 2^l$. For a given $\tau$ with $l \le n/3$, a common tradeoff point is $T = M = 2^{(2n-3l)/3}$ and $P = 2^{n-l}$. If $\tau$ is not fixed, then the point $T = M = D = N^{1/3}$ and $P = N^{2/3}$ is suggested.

It is shown in (6) that the number $\tau$ of available computing units is also a key parameter. Obviously, the larger $\tau$ is, the smaller the time/memory cost $T$ and $M$ at each computing unit. This is a very important property in the real world, which helps to execute practical attacks on some block ciphers in a distributed computing environment. Due to the limits of practical computing resources, $l$ is usually very small, for example $l \le 20$.
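As an added, runnable illustration of Algorithms 1 and 2 of Section 2.3 in the setting of this section (this code is ours, not the paper's): a toy "block cipher" $E_K(P)$, here a keyed SHA-256 truncated to 18 bits standing in for a real cipher with the truncation playing the role of the reduction $R$; $\tau = 4$ known plaintexts; and one table set per computing unit with $mt^2 = N$, $r = t/D$ and $D = \tau$. The $\tau$ units are simulated one after another on a single core. All names, parameters and plaintexts are assumptions of the example.

```python
import hashlib
import random

# Toy parameters (assumptions of this example, not from the paper).
KEY_BITS = 18
N = 1 << KEY_BITS                # key space size N = 2^n
TAU = 4                          # computing units = known plaintexts
T_LEN = 64                       # chain length t
M_CHAINS = N // (T_LEN * T_LEN)  # m, chosen so that m t^2 = N
DATA = TAU                       # D = tau: one datum (d = 1) per function f_i
R_TABLES = T_LEN // DATA         # r = t / D tables per computing unit
PLAINTEXTS = [0x01, 0x02, 0x03, 0x04]   # constructed known plaintexts P_1..P_tau


def toy_encrypt(key: int, plaintext: int) -> int:
    """Stand-in for R(E_K(P)): keyed SHA-256 truncated to KEY_BITS bits.  Not a real
    block cipher; for each fixed plaintext it behaves like a random function of the
    key, which is the only property the attack relies on."""
    data = key.to_bytes(4, "big") + plaintext.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & (N - 1)


def make_f(plaintext: int):
    """f_i: key space -> ciphertext space, f_i(K) = R(E_K(P_i))."""
    return lambda key: toy_encrypt(key, plaintext)


def build_unit_tables(f, rng):
    """Algorithm 1 on one unit: r tables, each holding m chains of length t under
    g_u = sigma_u o f with sigma_u(y) = y XOR mask_u.  A table maps an endpoint to
    the startpoints that reach it (a list, so merged chains are not lost)."""
    tables = []
    for _ in range(R_TABLES):
        mask = rng.randrange(N)
        table = {}
        for _ in range(M_CHAINS):
            start = rng.randrange(N)
            s = start
            for _ in range(T_LEN):
                s = f(s) ^ mask
            table.setdefault(s, []).append(start)
        tables.append((mask, table))
    return tables


def build_all_tables(plaintexts, seed=1):
    """Offline stage: unit i builds the tables of f_i (here one after another)."""
    rng = random.Random(seed)
    return [build_unit_tables(make_f(p), rng) for p in plaintexts]


def candidates_unit(f, tables, c):
    """Algorithm 2 on one unit for one datum c = f(K): walk y_1 = sigma(c),
    y_k = g(y_{k-1}); an endpoint hit at step k means K may be s_{t-k}, which is
    rebuilt from the startpoint.  Chain merges cause false alarms, so every
    candidate is checked against f before it is reported."""
    for mask, table in tables:
        y = c ^ mask
        for k in range(1, T_LEN + 1):
            for start in table.get(y, ()):
                x = start
                for _ in range(T_LEN - k):
                    x = f(x) ^ mask
                if f(x) == c:
                    yield x
            y = f(y) ^ mask


def recover_key(known_pairs, unit_tables):
    """Online stage: unit i searches its own pair (P_i, C_i).  A candidate is the key
    only if it explains all tau pairs; otherwise it is a pseudo-preimage of one f_i."""
    for (p, c), tables in zip(known_pairs, unit_tables):
        for x in candidates_unit(make_f(p), tables, c):
            if all(toy_encrypt(x, p2) == c2 for p2, c2 in known_pairs):
                return x
    return None


def per_unit_costs():
    """T, M, P, D per unit as counted in Section 2.3: M = rm, P = rmt, T = rtd."""
    d = 1
    return {"T": R_TABLES * T_LEN * d, "M": R_TABLES * M_CHAINS,
            "P": R_TABLES * M_CHAINS * T_LEN, "D": DATA}


if __name__ == "__main__":
    tabs = build_all_tables(PLAINTEXTS)
    rng, found = random.Random(2), 0
    for _ in range(20):
        key = rng.randrange(N)
        pairs = [(p, toy_encrypt(key, p)) for p in PLAINTEXTS]
        found += recover_key(pairs, tabs) == key
    print(f"recovered {found}/20 random keys; per-unit costs {per_unit_costs()}")
```

With these parameters per_unit_costs returns $T = 1024$, $M = 1024$, $P = 65536$, $D = 4$, which satisfy $PD = N$ and $\tau TM^2D^2 = N^2$ as in (5) and (6). Two points the paper's description leaves implicit are made explicit: a candidate from an endpoint hit is verified with $f_i$ (false alarms from merged chains are dropped), and it is accepted as the key only if it is consistent with all $\tau$ known pairs, which is what distinguishes the true key from a pseudo-preimage of a single $f_i$. Since the $\tau$ table sets together touch about $N$ points with overlaps, a random key is recovered on roughly half to two thirds of the runs.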

Here we provide a simple comparison with the Hellman attack. Let $T_{\mathrm{total}}$, $M_{\mathrm{total}}$ and $P_{\mathrm{total}}$ be the total time/memory/precomputation cost over all computing units, that is, $T_{\mathrm{total}} = \tau T$, $M_{\mathrm{total}} = \tau M$ and $P_{\mathrm{total}} = \tau P$. Noting that $D = \tau$, Formula (6) gives
\[
N^2 = T_{\mathrm{total}} M_{\mathrm{total}}^2 \quad\text{and}\quad P_{\mathrm{total}} = N,
\]
which is the same as the curve of the Hellman attack. Thus we have the following conclusion:

Theorem 3 For a block cipher, the time/memory/precomputation costs $T$, $M$ and $P$ at each computing unit are reduced linearly when $\tau$ (equivalently $D$) is increased.


Finally, as examples, we apply the above method to the well-known block ciphers DES and AES with 128-bit key (AES-128, in short). The results for a fixed $\tau = 2^{12}$ are listed in Table 4 and for a varied $\tau$ in Table 5.


Table 4. Our method on DES and AES-128 for a fixed τ = 2^12

Algorithm | Time cost T | Memory cost M | Data D | Precomp. cost P
DES       | 2^25.3      | 2^25.3        | 2^12   | 2^44
AES-128   | 2^73.3      | 2^73.3        | 2^12   | 2^116


Table 5. Our method on DES and AES-128 with τ not fixed

Algorithm | Comp. units τ | Time cost T | Memory cost M | Data D | Precomp. cost P
DES       | 2^18.7        | 2^18.7      | 2^18.7        | 2^18.7 | 2^37.3
AES-128   | 2^42.7        | 2^42.7      | 2^42.7        | 2^42.7 | 2^85.3


3.2. Block ciphers at the multiple key scenario


In [8], Biryukov, Mukhopadhyay and Sarkar described a multiple-key scenario for block ciphers, where a fixed plaintext is encrypted repeatedly under several different keys. In that scenario they naturally extended the Hellman attack to a time-memory-key tradeoff for block ciphers and obtained the same tradeoff curve as the BS attack on stream ciphers,
\[
N^2 = TM^2D_k^2,
\]
where $D_k$ is the number of keys available at the online stage. It is referred to as the BMS attack. Viewed as an IMRF, our method turns out to be more suitable for the multiple-key scenario on block ciphers, where an arbitrary number of plaintexts can be encrypted repeatedly under several different keys. Let $\tau$ be the number of known plaintexts, denoted by $P_1, P_2, \ldots, P_\tau$, and let each plaintext $P_i$ be encrypted under $D_k$ different keys $k_1, k_2, \ldots, k_{D_k}$. So we get $\tau D_k$ data $y_{i,j} = f_i(k_j) = E_{k_j}(P_i)$ in total at the online stage, where $1 \le i \le \tau$ and $1 \le j \le D_k$. We take each $f_i$ as a random function and view them as an instance of the IMRF with $d = D_k$ and $D = \tau D_k$. Substituting into Theorem 2 we get a new tradeoff curve for block ciphers in the multiple-key scenario:
\[
N^2 = \tau^3 TM^2D_k^2 \quad\text{and}\quad \tau PD_k = N, \tag{7}
\]
where $T \ge \tau D_k^2$. A common tradeoff point is $P = T = N^{3/5}$ and $M = D_k = \tau = N^{1/5}$. A comparison of our method with the BMS attack on AES-128 is shown in Table 6.


3.3. Stream ciphers


Stream ciphers are another class of classical symmetric ciphers and are mainly used in network communication. Stream ciphers behave very differently from block ciphers. A typical stream cipher contains a number of internal registers, a seed key and an (optional) initial vector, and mainly consists of a state function and a filter function. The state function updates the states of the internal registers, and the filter function derives a key sequence from the states of the internal registers, which is used to encrypt plaintexts to ciphertexts.


Table 6. A comparison of our method to the BMS attack on AES-128

Method     | Plaintexts (τ) | Time (T) | Memory (M) | Keys (D_k) | Precomp. (P)
BMS attack | 1              | 2^80     | 2^56       | 2^32       | 2^96
Our method | 2^20           | 2^60     | 2^48       | 2^20       | 2^88

TMTO can be applied to stream ciphers by several methods, for example the BG/BS attack, the HS attack [15], the DK attack [16], and so on. Compared with the TMTO for block ciphers, the TMTO for stream ciphers has the advantage that it can utilize many data at the online stage. Here we focus on the BS attack with BSW sampling. In the BS attack, the mapping $y = f(x)$ from a state $x$ to a prefix $y$ of the output keystream is viewed as a random function on the state space of size $N$, and the goal is to recover some state $x$ of the internal registers from a piece of output keystream. BSW sampling is a technique combining the TMTO attack and the GD attack, used to improve the BS attack. For a stream cipher, let $n$ be the bit length of its states. Suppose that an attacker can determine the remaining $l$-bit value $x_0$ of a state $x$ from $y_0$ after guessing the $(n-l)$-bit value $x'$ of $x$, where $y = y_0 \,\|\, y' = f(x) = f(x_0 \,\|\, x')$, $x_0$ and $y_0$ have $l$ bits, and $x'$ and $y'$ have $n-l$ bits. Then a new function $y' = f_{y_0}(x')$ on an $(n-l)$-bit subspace of the state space can be derived from $y = f(x)$; it depends on the value of $y_0$ and is shown in Fig. 1.


Fig. 1 Diagram of deriving $f_{y_0}$ from $f$: the state $x = x_0 \,\|\, x'$ ($l$ bits followed by $n-l$ bits) maps to the prefix $y = y_0 \,\|\, y'$.


In the BS attack with BSW sampling, the prefix $y_0$ is fixed to a value $a$, and the function $y' = f_a(x')$ is viewed as a random function on a space of dimension $n-l$. The BS attack with BSW sampling reduces the target space from $n$ bits to $n-l$ bits, but at a cost: although an attacker has captured $D$ prefixes $y$, only the prefixes whose first $l$ bits $y_0$ equal $a$ are valid, that is, only $2^{-l}D$ data can be used at the online stage and the remaining data (about $(1 - 2^{-l})D$) are useless. Below we give a new TMDTO method which overcomes this disadvantage of the BS attack with BSW sampling and utilizes all $D$ prefixes $y$ at the online stage. Our method can be viewed as a natural combination of the TMTO attack and the GD attack.

Similarly, we assume here that at least $\tau$ computing units are available to an attacker. For a given stream cipher, we first analyze its security by means of the GD attack. Suppose that the state $x$ can be recovered from a prefix $y$ by guessing the $(n-l)$-bit value of $x$. Then we analyze its security again by means of the TMTO attack. We choose $\tau$ fixed distinct $l$-bit prefixes $a_1, a_2, \ldots, a_\tau$ and $\tau$ functions $f_{a_1}, f_{a_2}, \ldots, f_{a_\tau}$, and run Algorithms 1 and 2 as described in Section 2.3. Let $D$ be the number of prefixes $y$, which can be extracted from $n + D - 1$ successive keystream bits. For each $f_a$, on average about $2^{-l}D$ prefixes $y$ belong to the image of $f_a$, that is, $d = 2^{-l}D$. Noting that $\tau$ can be at most $2^l$ and that the preimage space of $f_a$ has size $2^{-l}N$ for any $a$, and substituting $2^{-l}N$ for $N$ and $\tau d = \tau 2^{-l}D$ for $D$ in (5), we have
\[
N^2 = \tau^3 TM^2D^2 \quad\text{and}\quad \tau PD = N, \tag{8}
\]
where $\tau \le 2^l \le D$ and $T \ge 2^{-2l}\tau D^2$.
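For reference, the substitution that yields (8) from Theorem 2, written out step by step (added here; the original text states only the result):
\[
N' = 2^{-l}N,\qquad d = 2^{-l}D,\qquad D' = \tau d = \tau\,2^{-l}D,
\]
\[
N'^2 = \tau TM^2D'^2 \;\Longrightarrow\; 2^{-2l}N^2 = \tau^3\,2^{-2l}\,TM^2D^2 \;\Longrightarrow\; N^2 = \tau^3 TM^2D^2,
\]
\[
PD' = N' \;\Longrightarrow\; \tau\,2^{-l}PD = 2^{-l}N \;\Longrightarrow\; \tau PD = N,
\]
\[
T \ge \frac{D'^2}{\tau} = 2^{-2l}\tau D^2,\qquad D' \ge \tau \iff D \ge 2^{l},\qquad \tau \le 2^{l}.
\]
With $l = \log_2\tau$ the constraints reduce to $T \ge D^2/\tau$ and $D \ge \tau$, the form listed in Table 1.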

For a given stream cipher, let $n$ and $k$ be the bit lengths of the state and seed key respectively. Since $\log_2\tau$ is usually very small due to the limit of computing resources, the condition $l \ge \log_2\tau$ is easy to meet for the maximal $l$ obtained in the GD attack. Thus we usually take $l = \log_2\tau$, in which case all $D$ data are used at the online stage without any waste. Below we take $l = \log_2\tau$ with $l \le n/4$ (so that $D \ge 2^l$ holds at the points below) and give several common tradeoff points:


• $T = 2^{(2n-5l)/3}$, $M = D = 2^{(n-l)/3}$ and $P = 2^{2(n-l)/3}$;
• $T = M = 2^{k-l}$, $D = 2^{k/2}$ and $P = 2^{3k/2-l}$ if $n = 2k$.


It should be pointed out that the case $l > \log_2\tau$ is also meaningful. Though not all data are used in this case, the time/memory/precomputation cost at each computing unit can still be reduced. Let $L$ be the maximal value of $l$ obtained by the GD attack for a stream cipher. If $L > \log_2\tau$, then the following tradeoff points are taken:

• $T = M = D = (\tau^{-3}N^2)^{1/5}$, $P = (\tau^{-2}N^3)^{1/5}$ and $l = \lceil \tfrac15 \log_2(\tau N) \rceil$ when $L \ge \tfrac15 \log_2(\tau N)$;
• $T = (\tau^{-1}2^{-4l}N^2)^{1/3}$, $M = D = (2^{l}\tau^{-2}N)^{1/3}$, $P = (2^{-l}\tau^{-1}N^2)^{1/3}$ and $l = L$ when $\log_2\tau < L < \tfrac15 \log_2(\tau N)$.


Below we provide a simple comparison with the BS attack with BSW sampling. Let $T_{\mathrm{total}}$, $M_{\mathrm{total}}$ and $P_{\mathrm{total}}$ be the total time/memory/precomputation cost over all computing units, that is, $T_{\mathrm{total}} = \tau T$, $M_{\mathrm{total}} = \tau M$ and $P_{\mathrm{total}} = \tau P$. By Formula (8), we have
\[
N^2 = T_{\mathrm{total}} M_{\mathrm{total}}^2 D^2 \quad\text{and}\quad P_{\mathrm{total}} D = N,
\]
which is the same as the curve of the BS attack. Thus we have the following conclusion:


Theorem 4 For a stream cipher, the time/memory/precomputation costs $T$, $M$ and $P$ at each computing unit are reduced linearly when $\tau$ is increased.


Finally, as examples, our method is applied to the stream ciphers A5/1 [17], Grain-v1 [18] and Grain-128 [19] respectively. Noting that $l$ can be taken at most 16, 28 and 48 for A5/1, Grain-v1 and Grain-128 respectively [20], the results of our analysis for a fixed $\tau = 2^{12}$ are listed in Table 7.


Table 7. Our method on A5/1, Grain-v1 and Grain-128 for a fixed τ = 2^12

Algorithm | Units τ | GD param. l | Time T  | Mem. M | Data D | Prep. P
A5/1      | 2^12    | 12          | 2^20.8  | 2^20.8 | 2^20.8 | 2^31.2
Grain-v1  | 2^12    | 28          | 2^65.3  | 2^54.7 | 2^54.7 | 2^93.3
Grain-128 | 2^12    | 48          | 2^102.7 | 2^93.3 | 2^93.3 | 2^150.7